Skip to content

Direct Syscall in Windows Meterpreter #777

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dledda-r7 wants to merge 19 commits into
base: master
Choose a base branch
from
Open

Direct Syscall in Windows Meterpreter #777

dledda-r7 wants to merge 19 commits into from

Conversation

@dledda-r7
Copy link
Contributor

@dledda-r7 dledda-r7 commented Oct 8, 2025
edited
Loading

Direct Syscall in Metsrv

This PR kickstart the usage of the direct syscall implemented by @cdelafuente-r7 in the ReflectiveDllInjection repository. The scopes of this PR are:

Extending the WINAPI

With the initial winapi work we started defining wrappers for system calls for mainly two reasons:

  1. remove the system function from the function import
  2. be able to control the implementation and use direct syscell when possible

Easier direct-syscall loader

Creation of helpers to speedup the extension of direct syscall.
To add new syscalls we need to include the syscall name and the expected arguments to the NtDllFunction lpFunctionsTobeLoaded array and extend the enum NtDllSyscall with the new system call, then we can proceed with the creation of the wrappers and the optional export to themet_api interface.

This pr include the wrappers for the ~90% of function used within metsrv.
Not all of them has been used and this is outside of the scope of this PR. smaller PRs will be done to cover smaller area of the codebase to speedup the testing.

TODO:

  • Make standard wrappers for all the other meterpreter functions
  • Expose the Zw Functions on met_api
  • Add GetProcAddrH
  • Remove strings
Migration with Direct Syscall 
DebugString: "[1384] [MIGRATE] Attempting to migrate. ProcessID=1708, Arch=x64"
DebugString: "[1384] [MIGRATE] Attempting to migrate. PayloadLength=291840 StubLength=317"
DebugString: "[1384] [INJECT][supports_poolparty_injection] RtlGetVersion: 00007FFF82EAE4E0"
DebugString: "[1384] [INJECT][supports_poolparty_injection] dwSourceArch: 2 dwDestinationArch: 2"
DebugString: "[1384] [INJECT][supports_poolparty_injection] os.dwMajorVersion: 10 os.dwMinorVersion: 0"
DebugString: "[1384] [MIGRATE] Got SeDebugPrivilege!"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] lpWinApiSyscalls = 00000000005ECC90"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000005ECD00; dwCryptedHash = 00000000D33D4AED"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000005EC960; dwCryptedHash = 00000000F0D09D60"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000005EC9B0; dwCryptedHash = 00000000C5D0A4C2"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000005ECA00; dwCryptedHash = 000000003DEFA5C2"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000005ECA50; dwCryptedHash = 00000000BC3F4D89"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000005ECAA0; dwCryptedHash = 000000004FD39C92"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000005ECAF0; dwCryptedHash = 00000000DE63B5C3"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] Index: 0 pStub: 00007FFF82F0D7E8, dwSyscallNr: 24"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] Index: 1 pStub: 00007FFF82F0D9A8, dwSyscallNr: 38"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] Index: 2 pStub: 00007FFF82F0DC28, dwSyscallNr: 58"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] Index: 3 pStub: 00007FFF82F0DCC8, dwSyscallNr: 63"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] Index: 4 pStub: 00007FFF82F0DEE8, dwSyscallNr: 80"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] Index: 5 pStub: 00007FFF82F0D948, dwSyscallNr: 35"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] Index: 6 pStub: 00007FFF82F0D8A8, dwSyscallNr: 30"
DebugString: "[1384] [WINAPI][winapi_kernel32_OpenProcess] Syscall ZwOpenProcess returned: 0"
DebugString: "[1384] [MIGRATE] creating the configuration block"
DebugString: "[1384] [CONFIG] preparing the configuration"
DebugString: "[1384] [CONFIG] Allocating 1036 bytes for transport, total of 1604 bytes"
DebugString: "[1384] [CONFIG] Comms handle set to 00000000000001A4"
DebugString: "[1384] [CONFIG] Total of 1614 bytes located at 0x00000000005D9800"
DebugString: "[1384] [MIGRATE] Config of 1614 bytes stashed at 0x00000000005D9800"
DebugString: "[1384] [MIGRATE] Duplicated Event Handle: 0x3d4"
DebugString: "[1384] [WINAPI][winapi_kernel32_VirtualAllocEx] Syscall ZwAllocateVirtualMemory returned: 0"
DebugString: "[1384] [MIGRATE] Migrate stub: 0x000002C991350000 -> 317 bytes"
DebugString: "[1384] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0"
DebugString: "[1384] [MIGRATE] Migrate context: 0x000002C99135013D -> 388 bytes"
DebugString: "[1384] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0"
DebugString: "[1384] [MIGRATE] Migrate payload: 0x000002C9913502C1 -> 291840 bytes"
DebugString: "[1384] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0"
DebugString: "[1384] [MIGRATE] Configuration: 0x000002C9913976C1 -> 1614 bytes"
DebugString: "[1384] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0"
DebugString: "[1384] [INJECT][supports_poolparty_injection] RtlGetVersion: 00007FFF82EAE4E0"
DebugString: "[1384] [INJECT][supports_poolparty_injection] dwSourceArch: 2 dwDestinationArch: 2"
DebugString: "[1384] [INJECT][supports_poolparty_injection] os.dwMajorVersion: 10 os.dwMinorVersion: 0"
DebugString: "[1384] [INJECT][inject_via_poolparty][ntdll_init] NtQueryInformationProcess: 00007FFF82F0D800 NtQueryObject: 00007FFF82F0D6E0"
DebugString: "[1384] [INJECT][inject_via_poolparty][ntdll_init] ZwSetIoCompletion: 00007FFF82F10930"
DebugString: "[1384] [INJECT][inject_via_poolparty] using: poolparty_stub_x64"
DebugString: "[1384] [WINAPI][winapi_kernel32_VirtualAllocEx] Syscall ZwAllocateVirtualMemory returned: 0"
DebugString: "[1384] [INJECT][inject_via_poolparty] ctx [000002C9913A0112] lpStartAddress: 000002C991350000 lpParameter 000002C99135013D hTriggerEvent 00000000000003E0"
DebugString: "[1384] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0"
DebugString: "[1384] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0"
DebugString: "[1384] [INJECT][inject_via_poolparty] Attempting injection with variant POOLPARTY_TECHNIQUE_TP_DIRECT_INSERTION"
DebugString: "[1384] [INJECT][inject_via_poolparty][get_remote_handle] lpProcessInfo: 00000000025FA3A0"
DebugString: "[1384] [INJECT][inject_via_poolparty][get_remote_handle] NtQueryInformationProcess() : 00000000C0000004"
DebugString: "[1384] [INJECT][inject_via_poolparty][get_remote_handle] HeapReAlloc lpProcessInfo: 00000000025FA3A0"
DebugString: "[1384] [INJECT][inject_via_poolparty][get_remote_handle] NtQueryInformationProcess() : 0000000000000000"
DebugString: "[1384] [INJECT][inject_via_poolparty][get_remote_handle] lpProcessInfo: 00000000025FA3A0 dwInformationSizeIn: 9936"
DebugString: "[1384] [INJECT][inject_via_poolparty][get_remote_handle] lpObjectInfo: 00000000025FCAA0"
DebugString: "[1384] [INJECT][inject_via_poolparty][get_remote_handle] hHijackHandle: 00000000000003AC"
DebugString: "[1384] [WINAPI][winapi_kernel32_VirtualAllocEx] Syscall ZwAllocateVirtualMemory returned: 0"
DebugString: "[1384] [INJECT][inject_via_poolparty][remote_tp_wait_insertion] ZwSetIoCompletion: 0"
DebugString: "[1384] [INJECT] inject_via_poolparty: injected!"
DebugString: "[1384] [INJECT] inject_via_poolparty: Sending a migrate response..."
DebugString: "[1384] [TRANSMIT] Sending packet to the server"

@dledda-r7 dledda-r7 marked this pull request as ready for review October 16, 2025 15:11
@dledda-r7 dledda-r7 changed the title WIP: Direct Syscall in Windows Meterpreter Direct Syscall in Windows Meterpreter Oct 16, 2025
@msutovsky-r7 msutovsky-r7 self-assigned this Oct 17, 2025
dledda-r7
dledda-r7 commented Oct 17, 2025
View reviewed changes
dledda-r7
dledda-r7 commented Oct 17, 2025
View reviewed changes
dledda-r7
dledda-r7 commented Oct 17, 2025
View reviewed changes
cdelafuente-r7
cdelafuente-r7 reviewed Oct 20, 2025
View reviewed changes
Copy link
Contributor

@cdelafuente-r7 cdelafuente-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @dledda-r7 ! I'm happy to see metsrv will benefit from Direct Syscalls now. Great job!

I left a few minor comments for you to review when you get a chance.

@dledda-r7
feat(windows/metsrv): Initial support for Direct Syscall
d994bd5
@dledda-r7
feat: direct syscall for memory managment and process open
3495208
@dledda-r7
fix: fix direct syscall, adding logging
d389c89
@dledda-r7
feat(windows/metsrv): extending kernel32 in met_api, adding wrappers …
27971c9 
…for majority of metsrv imports
@dledda-r7
fix: update missing WriteProcessMemory call to winapi
f3631c5
@dledda-r7
feat(windows/metsrv): exposing ntdll to met_api and updating kernel32…
16b904e 
… calls to use wrapper
@dledda-r7
feat(windows/metsrv): expanding kernel32 wrappers, updating kernel32 …
fcdb20e 
…calls to use wrapper
@dledda-r7
fix: fixing compilation issue on stdapi
b5c8a0b
@dledda-r7
fix: removing duplicated code, fixing compiling issue
e6982a9
@dledda-r7
fix: fix MSVC compiler issue
c93ab37
@dledda-r7
fix: fix MSVC compiler issue
4906559
@dledda-r7
fix: apply review changes
43fb436
@dledda-r7
feat: add advapi32, crypt32, user32, ws_32, wininet, rpcrt4, winhttp …
0b41eae 
…to winapi
@dledda-r7
fix: fix compile issue with stdapi
6967ff3
@dledda-r7
fix: fix compile issue with MSVC
c286a0f
@dledda-r7
fix: defaulting to wininet for winapi, fixing python extension compil…
8cf5e33 
…e on MSVC
@dledda-r7 dledda-r7 force-pushed the feat/metsrv-direct-syscall branch from f50ddbc to 8cf5e33 Compare October 27, 2025 14:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cdelafuente-r7 cdelafuente-r7 cdelafuente-r7 left review comments

Assignees

@msutovsky-r7 msutovsky-r7

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dledda-r7 @cdelafuente-r7 @msutovsky-r7